DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Follow-up on the Gulf Coast Health Care Services breach

Posted on November 26, 2012 by Dissent

Back on November 10, I noted that HHS’s breach tool had added an entry for Gulf Coast Health Care Services:

Gulf Coast Health Care Services  in Florida suffered a network compromise on August 17 that reportedly affected 13,000 patients. The incident was reported to HHS as “Theft, UnauthorizedAccess/Disclosure, Hacking/IT Incident”,Network Server.

I commented at the time, ” I really wish HHS would refine their response categories.” After finding out more about the breach, I’m even more convinced that we would all benefit if HHS refined its reporting form.

Based on my interview with Craig Brimm, Privacy Officer for the firm,  this was a messy insider breach that actually started in June 2012 (not August 17, as indicated on HHS’s breach tool)  after a psychiatrist left their practice and started calling patients to recruit them for her new practice.  It is not clear whether the psychiatrist took any patient contact information with her, but the firm later discovered that on June 29, their receptionist accessed patient databases for both of the firm’s locations and started downloading patient information.   Later investigation revealed that the same receptionist downloaded information on other occasions in August and September.   During the investigation, evidence was uncovered that  the receptionist had been in contact with both the psychiatrist and a nurse practitioner who had also left the practice. Gulf Coast believes that the receptionist supplied these two former employers with patient contact information.

Gulf Coast first discovered the breach on September 26 when patients alerted them that they were receiving unsolicited phone calls recruiting them as patients. The firm also started receiving faxed requests for the patients’ records.

The matter was referred to law enforcement on September 28.

According to Brimm, the receptionist had downloaded approximately 13,000 patients’ name, address, phone number, and date of birth.

Brimm sent PHIprivacy.net the following statement/substitute notice:

Gulf Coast Health Care Services Notice Concerning Patient Privacy Breach

11-16-2012

On September 26, Gulf Coast Health Care Services Inc. discovered that an employee had, without authorization or legitimate purpose, accessed and downloaded limited information on our patients. Forensic investigation revealed that the unauthorized access occurred on five occasions between June 29, 2012 and September 20, 2012.

The types of information accessed included patients’ names, addresses, dates of birth, and phone numbers for all patients seen in this office since 1992. The employee did not access any medical information, Social Security numbers or financial information. We believe that the data were stolen and provided to other practitioners who have used our patient contact information to try to recruit patients for their own practices. Because of the nature of this breach, we do not believe that our patients are at any risk of ID theft.

On September 28, the matter was reported to the FBI, the Sarasota Police Department, and the Florida Department of Law Enforcement. The incident was also reported to the U.S. Department of Health and Human Services Office of Civil Rights in compliance with federal law.  The breach remains under active investigation by all agencies that were notified.

Gulf Coast Health Care Services deeply regrets any distress patients may have experienced due to unsolicited phone calls from other practices. We have been working with security experts to further limit access to our patient databases, and assure patients that we care about their privacy.

If you have any questions or concerns or wish to report unsolicited contact from other practitioners, please call D. Craig Brimm, Privacy Officer at 941-343-3033 or e-mail [email protected].

Would you have guessed that this was an insider breach of this kind from HHS’s breach tool entry? Even though “unauthorized access” was included in their list of possibilities, would your first thought have been insider breach or would it have been a hack or theft?

I’m not sure how we can persuade HHS to refine their reporting tool, but having fuller information would sure be helpful.

Category: Uncategorized

Post navigation

← Follow-up: Brighton and Sussex University Hospitals NHS Trust data breach fine reduced for timely payment
Sourcefire laptop with employee data stolen →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.
  • North Shore University Sleep Disorders Center employee charged with secretly recording patients in restrooms
  • When ransomware listings create confusion as to who the victim was
  • Rajkot civic body’s GIS website hit by cyber attack, over 400 GB data feared stolen
  • Taiwan’s BitoPro hit by NT$345 million cryptocurrency hack
  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements
  • Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says
  • Vanta bug exposed customers’ data to other customers

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Florida ban on kids using social media likely unconstitutional, judge rules
  • State Data Minimization Laws Spark Compliance Uncertainty
  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.